Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Rails
(Rubyonrails)| Repositories | https://github.com/rails/rails |
| #Vulnerabilities | 106 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2008-11-21 | CVE-2008-5189 | CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. | Rails, Ruby_on_rails | N/A | ||
| 2008-09-30 | CVE-2008-4094 | Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | Rails, Ruby_on_rails | N/A | ||
| 2007-11-21 | CVE-2007-6077 | The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. | Rails, Ruby_on_rails | N/A | ||
| 2007-06-14 | CVE-2007-3227 | Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values. | Rails | N/A | ||
| 2006-08-14 | CVE-2006-4112 | Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111. | Rails | N/A | ||
| 2006-08-14 | CVE-2006-4111 | Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. | Rails, Ruby_on_rails | N/A |